What Seems to be Going on with MalwareTech’s New Charges

When I wrote this post on the superseding indictment against Marcus Hutchins (MalwareTech) I deferred assessment of the new charges — a differently charged CFAA, a wire fraud, and a false statements charge — until the lawyers weighed in. Last night, the two sides submitted a status report on the superseding indictment, and it’s clear that the government has fixed some glaring problems with its case. (Along the way the defense has argued they need to tweak all but one of the motions they had fully briefed, adding two months to this process, on top of the extra charges.)

By my read, the government has taken a detrimental ruling (that Hutchins will learn of the informant Randy’s identity at least a month before trial, if not before), as well as the fact that Hutchins did not, maybe could not, have admitted what they wanted to in his original interrogation but did admit to some other things, and used those setbacks to fix a number of problems with their case.

By my read (not a lawyer, not a judge, looking at just scraps of evidence), the original indictment against Hutchins was drawn up sloppily only as a means to detain him in this country and quickly — the government believed, because this is how things happen in the U S of A — get him to agree to inform on VinnyK and other online criminals. Indeed, fragments of the original interrogation now make it clear that was the intent.

Chartier: I mean, you know, Marcus, I’ll be honest with you. You’re in a fair bit of trouble.

Hutchins: Mmm-hmm.

Chartier: So I think it’s important that you try to give us the best picture, and if you tell me you haven’t talked to these guys for months, you know, you can’t really help yourself out of this hole. Does that make sense?

Hutchins: Yeah.

Chartier: Now, I’m not trying to tell you to do something you’re not doing, but I know you’re more active than you’re letting on, too. Okay?

Hutchins: I’m really not. I have ceased all criminal activity involving

Chartier: Yeah, but you still have access and information about these guys.

Hutchins: What do you mean? Like, give me a name and I’ll tell you what I know about that.

Chartier: All right, why don’t you start out with this list of nics.

As a result of that sloppiness, the government had just thrown a bunch of crimes — CFAA and wiretapping — into the indictment, with the assumption that it’d be enough to turn the guy who stopped WannaCry into the US government’s latest informant.

While there are no guarantees in criminal cases, I think the defense’s arguments that the government had no proof Hutchins intended to damage the requisite 10 computers in Wisconsin, nor that he had intended to install a device to wiretap, were sound. Indeed, this superseding indictment is largely a tacit admission that those arguments may well succeed and blow their original case up. Moreover, I suspect there is and will remain (until this thing goes to trial, if it does) a dispute about how much code someone has to contribute to a piece of malware to be considered its author.

But as I said, now that the government is facing going to trial with their informant, Randy, fully exposed, they’ve turned that into a way to revamp the alleged crimes against Hutchins such that they might be sustainable. That’s because — as I pointed out here — while VinnyK is accused of selling malware, Randy has already told the FBI that he used it, and used it to engage in financial crimes.

  • VinnyK (Individual A), a guy who sold a UPAS kit on July 3, 2012, days after Hutchins turned 18, and then on June 11, 2015, sold Kronos, a piece of malware with no known US victims. Altogether VinnyK made $3,500 for the two sales of malware alleged in this indictment. When this whole thing started, the government charged Hutchins mostly if not entirely to coerce him to provide information on VinnyK (information which he said in a chat in the government’s possession he doesn’t have). He’s the guy they’re supposed to be after, but now they’re after Hutchins exclusively.
  • “Randy” (Individual B), an actual criminal “involved in the various cyber-based criminal enterprises including the unauthorized access of point-of-sale systems and the unauthorized access of ATMs.” At some point, in an attempt to limit or avoid his own criminal exposure, Randy implicated Hutchins.

With that in mind, consider the two new main charges the government has added, and added to the conspiracy, in what I imagine is a bid to sustain the prosecution if the earlier problems with the indictment get parts of the rest of it thrown out. In addition to charging Hutchins with the part of CFAA that makes it a crime to attempt to damage 10 or more protected computers, the government is now charging him with the part of CFAA that makes it a crime to intentionally access a computer to obtain information for the purpose of private financial gain. That is, they’ve added the part of CFAA that makes it a crime to profit from stealing information. They’ve also charged Hutchins with wire fraud for attempting to obtain money by false and fraudulent pretenses. (The defense now agrees the government has venue in EDWI, which I suspect has to do with both the focus on advertising here as opposed to operation of code, as well as the claim that Hutchins’ alleged lies thwarted an investigation in the district.)

The first of these is easy to understand. Even in the fragments of Hutchins’ interrogation publicly available, he admitted to selling code.

Chartier: So you haven’t had any other involvement in any other pieces of malware that are out or have been out?

Hutchins: Only the form-grabber and the bot.

Chartier: Okay. So you did say the form-grabber for Kronos, then?

Hutchins: Not the form-grabber for Kronos. It was an earlier one released in about I’m gonna say 2014?

Chartier: And what was the name of that?

Hutchins: Oh, fuck. I really can’t remember. No, I’m drawing a blank. I mean, like, I actually sell the code. I sell it to people and then they do what the fuck they want with it.

They also have a jail transcript of Hutchins telling his boss that he gave Randy malware to pay off a debt. [Note, the defense has taken issue with the accuracy of this transcript.]

Hutchins: Yeah, and there were also some logs that I gave the compiled binary to someone to repay a debt

Salim Neino: You gave a compiled binary to somebody on the chat log?

Hutchins: To repay a debt yeah

[snip]

Neino: Okay, um was the nature of the debt anything significant?

Hutchins: It was about five grand

Neino: Oh not the amount, but was the nature of the debt significant, like was it related to something else, or just your personal debt?

Hutchins: Um he, no he asked me to hold some Bitcoins for him, and my software fucked up, and I lost some of the money

Neino: Oh so you had to pay him back?

Hutchins: Yeah

So while Hutchins did not himself use malware to steal information for the purpose of financial gain, they arguably have him admitting that he sold code that stole information for financial gain and that he gave code that did the same to someone who stole information for financial gain in order to pay off a $5,000 debt. Now, the government still has some work to do to prove that Hutchins’ code had that intent, but at least for this charge they don’t have to point to 10 computers that he intended to damage.

As for the wire fraud, I’m not sure (and I’m not sure the defense is either) but I think they’re now taking a post Hutchins did, criticizing weaknesses in a piece of malware competing with Kronos, and claiming that the post served to defraud upstanding malware purchasers into believing that Kronos was a better product by comparison.

On or about December 23, 2014, defendant MARCUS HUTCHINS hacked control panels associated with Phase Bot, malware HUTCHINS perceived to be competing with Kronos. In a chat with [Randy], HUTCHINS stated, “well we found exploit (sic) [sic] in this panel just hacked all his customers and posted it on my blog sucks that these [] idiots who cant (sic) [sic] code make money off this :|” HUTCHINS then published an article on his Malwaretech blog titled “Phase Bot — Exploiting C&C Panel” describing the vulnerability.

The government may even be planning on arguing that Hutchins used his research into the competition to update Kronos.

In or around February 2015, MARCUS HUTCHINS and [VinnyK], updated Kronos. On February 9, 2015, in a chat with [Randy], HUTCHINS described the update. [Randy] asked, “[D]id you guys just happen to make a (sic) update?” HUTCHINS responded, “[W]e made a few fixes to both the panel and bot.” [Randy] replied, “ah okay yeah read something that vinny posted was curious on what it was exactly.”

In any case, now that the government knows they’re not going to be able to hide Randy, they can use Hutchins’ interactions with him to try to put Hutchins in a cage, when they’ve decided to spare Randy that same cage or at least limit the time he’ll be there.

If I’m right about this, a lot of it brings us back to the final new charge, false statements. The government has charged Hutchins with lying to the same FBI agents that Hutchins accused (with some basis) of lying on the stand. They claim he lied when he told the FBI that “he did not know his computer code was part of Kronos until he reverse engineered the malware sometime in 2016,” because “as early as November 2014, HUTCHINS made multiple statements to [Randy] in which HUTCHINS acknowledged his role in developing Kronos and his partnership with [VinnyK].”

In yesterday’s status report, the defense said they’re going to “request that the government particularize the alleged false statement of Count Nine.” Presumably, they want to know how it is that AUSA Dan Cowhig, on August 4, 2017, represented to a judge that, “Hutchins admitted that he was the author of the code that became the Kronos malware” but are now claiming that he did not admit that. It may well be the language I’ve cited above, where Hutchins cites the UPAS Kit (which he coded as a minor), but says that was not the form grabber used in Kronos.

That’s the kind of charge that not only will depend on the specific language the government has in mind (which is why the defense may well succeed with a bill of particulars demand where they otherwise might not), but also the understanding of how fragments of code become malware, something on which (if Agent Chartier’s past testimony was any indication) the defense is likely to have a much better grasp than the government.

Understand where that puts us, though.

Probably after rediscovering Hutchins’ access to VinnyK and his friends because he had saved the world from repurposed NSA hacking tools, the government slapped together charges in a bid to turn Marcus Hutchins into an informant. When that didn’t work, when Hutchins had the gall to point out how problematic the charges were, the government then upped the ante, turning Hutchins into the primary target, whereas previously VinnyK had been.

We’ve got VinnyK, who used to be considered a big enough criminal to do this to Hutchins, Randy, who the government readily admits stole money from actual Americans, and the guy who saved the world from tools the NSA couldn’t keep safe. You’ve got two FBI agents who have done remarkable work damaging their own credibility (to say nothing of their ability to appear knowledgeable about computer code on the stand). And the American taxpayers are going to spend thousands of dollars to try to put Hutchins — and possibly only Hutchins — in prison. That, even though the false statements charges may well come down to a dispute — which both sides have already been arguing — about what the definition of malware is.

This is, in many ways, all too typical of how our justice system works; Hutchins is not unique in being targeted this way, nor in having the government double down when he had the nerve to avail himself of the justice system.

But I keep coming back to this: why does the government think that the interests of justice are served by punishing a guy because he achieved renewed notice by doing something good?

The MalwareTech Poker Hand: Calling DOJ’s Bluff

With a full poker hand’s worth of filings on Friday, MalwareTech’s (AKA Marcus Hutchins) lawyers are finally revealing the main thrust of their defense. The five filings are:

  1. A motion for a bill of particulars, basically demanding that the government reveal what 10 computers Hutchins and his alleged co-conspirator conspired and intended to damage
  2. A motion to suppress the statements Hutchins made after he was arrested, requesting an evidentiary hearing, based on the fact that Hutchins was high and exhausted and didn’t know US law about Miranda warnings
  3. A motion to dismiss the indictment, arguing on three different grounds that,
    • The CFAA charges (one and six) don’t allege any intent to cause damage to a protected computer (because the malware in question steals data, but doesn’t damage affected computers)
    • The Wiretapping charges (two through five) don’t allege the use of a device as defined under the Wiretap Act, but instead show use of software
    • The sales-related charges (one, five, and six) conflate the sale of malware with the ultimate effect of it
  4. A motion to dismiss the indictment for improper extraterritorial application and venue, effectively because this case should never have been charged in the US, much less Milwaukee
  5. A motion to dismiss charges two and six based on suspected improper grand jury instruction failing to require intentionality

Effectively, these five motions (which are likely to meet with mixed success, but even where they’re likely to fail, will lay the groundwork for trial) work together to sustain an argument that Hutchins should never have been charged with these crimes in the US, and that FBI may have cheated a bit to get the incriminatory statements that might let them sustain the prosecution.

I laid out the general oddity of these charges here, and the background to the Miranda challenge and grand jury instructions here, here, and here.

Hutchins was high and tired, not drunk, for his one minute Miranda warning

While I don’t expect the Miranda challenge (item 2) to be effective on its face, I do expect it to serve as groundwork for a significant attempt to discredit Hutchins’ incriminatory statements at trial. This motion provides more detail about why his defense thinks it will be an effective tactic. It’s not just that Hutchins is a foreigner and couldn’t be expected to know how US Miranda works, or that the FBI only documented that they asked Hutchins if he had been drinking alcohol four months after the arrest (as I laid out here). But as the motion notes, the FBI doesn’t claim to have asked whether he was exhausted or otherwise intoxicated.

According to an FBI memorandum, before “initiating a post arrest interview,” an agent asked Mr. Hutchins if he had been drinking that day, and he responded that he had not. That memorandum, written over four months after the arrest, then states that the agent asked Mr. Hutchins “if has [sic] in a good state of mind to speak to the FBI Hutchins agreed.” Mr. Hutchins did not understand it to be an inquiry as to whether he had used drugs or was exhausted.

The initial 302 of the interrogation records Hutchins telling the agents that he had been partying and not sleeping.

Mr. Hutchins discussed his partying while in Las Vegas, as well as his lack of sleep, during the interrogation.

The motion admits that he had been using drugs (of unspecified type) the night before.

As Mr. Hutchins sat in the airport lounge, he was not drinking, but he was exhausted from partying all week and staying up the night before until the wee hours. He had also used drugs.

Nevada legalized the recreational use of marijuana effective July 2017, so if he was still high during this interview, he might have been legally intoxicated under state (but not federal) law. And there’s not a lick of evidence that the FBI asked him about that.

After laying out that the FBI has no record of asking Hutchins whether he was sober (rather than just not drunk), the motion reveals that the FBI couldn’t decide at what time it gave Hutchins his Miranda warning.

An FBI Advice of Rights form sets forth Miranda warnings and reflects Mr. Hutchins’ signature. It is dated August 2, 2017, but the time it was completed includes two crossed out times, 11:08 a.m. and 2:08 p.m., and one uncrossed out time, 1:18 p.m. (which is one minute after the FBI log reflects Mr. Hutchins’ arrest, as noted above).

And as noted before, and reiterated here, the FBI didn’t record that part of his interview.

The motion notes that if the final, current record of the time of warning is correct, then the Miranda warning, including any discussion of how US law differs from British law, took place in the minute after he was whisked away from this gate.

Hutchins recently tweeted that he “slept the entire time I was in prison,” which while not accurate (he was neither in prison nor in real solitary), would otherwise corroborate the claim he was exhausted.

The government’s cobbled case on intentionality and computer law

Items 3 and 5, arguing the law is inappropriately applied and specifically not instructed correctly with regards to two charges, work together to argue that the government has cobbled together charges against Hutchins via misapplying both CFAA and Wiretap law, and in turn using conspiracy charges and misstating requisite intentionality to be able to get at Hutchins.

As I’ve noted, Hutchins’ lawyers have been arguing for some time that the government may not have properly instructed the grand jury on the intentionality required under charges 2 and 6. At a hearing in February, Magistrate Nancy Joseph showed some sympathy to this argument (though is still reviewing whether the defense should get the grand jury instructions). As I noted in that post, whereas the government once claimed it would easily fix this problem by getting a superseding indictment (possibly larding on new charges), they seem to have lost their enthusiasm for doing so.

It’s the combination of the rest of the legal challenge that I find more interesting. The challenge will interact with recent innovations in charging other foreign hackers, especially a bunch of Russians that will make DOJ especially defensive of this challenge. But the motions all cite Seventh Circuit precedent closely, so I’m not sure whether that matters.

Ultimately, this motion makes roughly the same arguments that Orin Kerr made as soon as the indictment came out. As he introduced his more thorough explanation in August,

This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

Kerr is not a flaming hippie, so I assume that these arguments will be rather serious challenges for the government and I await the analysis of this challenge by more Fourth Amendment lawyers. But as he suggested back in August, Hutchins’ team may well be right that this indictment is an overreach.

DOJ still hasn’t explained why it charged Hutchins for a crime with no known US victims

While requests for a Bill of Particulars (basically, a request for more details about what the government is claiming broke the law) are usually unsuccessful, this one does two interesting things. It asks the government for proof of damage, including proof of which ten computers got damaged.

Mr. Hutchins asks that the government be required to particularize the “damage” it intends to offer into evidence at trial in connection with the alleged violations of the Computer Fraud and Abuse Act by the two defendants. Mr. Hutchins also asks that the government be required to particularize the “10 or more protected computers” to which it contends the defendants conspired and attempted to cause “damage.”

Whether the motion itself is successful or not, demanding proof that ten computers were damaged helps support the challenge to the two CFAA charges based on whether stealing credentials amounts to damage. It also lays the groundwork for the motion made explicitly in item 4 — that Hutchins should never have been charged in the US, much less Wisconsin.

As I laid out in this piece, it appears likely that charges against Hutchins arose out of back door searches done as part of the investigation into who “MalwareTech” was after he sinkholed WannaCry. For whatever reason (probably because the government thought Hutchins could inform on someone, possibly related to either WannaCry itself or Kelihos), the government decided to cobble together a case against Hutchins consisting — by all appearances — entirely of incidental collection so as to coerce him into a plea deal. When he got a team of very good lawyers and then bail, that put a lot more pressure on the appropriateness of the charges in the first place.

So now, eight months after Hutchins was arrested, we’re finally getting to that question of why the US government decided to charge him for a crime that even DOJ didn’t claim had significant US victims.

The motion starts by noting that Hutchins didn’t do most of the acts alleged, his co-defendant Tran (whom the government has shown little urgency in extraditing) did. But even for Tran’s acts (basically marketing and selling the malware), there’s no affirmative tie made to Wisconsin.

As part of the purported conspiracy, the indictment alleges that Mr. Hutchins created the Kronos software, described as “a particular type of malware that recorded and exfiltrated user credentials and personal identifying information from protected computers.” (Id. ¶¶ 3(e), 4(a).) It also alleges that Mr. Hutchins and his co-defendant later updated Kronos. (Id. ¶ 4(d).)

All other alleged overt acts in furtherance of the purported conspiracy pertain solely to Mr. Hutchins’ co-defendant. Per the indictment, the codefendant (1) used a video posted to YouTube to demonstrate how Kronos worked, (2) advertised Kronos on internet forums, (3) sold a version of Kronos, and (4) offered crypting services for Kronos. (Id. ¶¶ 4(b), (c), (e), (f), (g).)

Aside from a bare allegation that each offense was committed “in the state and Eastern District of Wisconsin and elsewhere,” the indictment does not describe any connection to this District.

While the government has long suggested that the case is in EDWI because an FBI agent located there bought a copy of Kronos, the motion suggests Hutchins’ team hasn’t even seen good evidence of that yet.

Here, the indictment reflects that Mr. Hutchins was on foreign soil, and any acts he performed occurred there. There is no indication that damage was caused in the Eastern District of Wisconsin—or, indeed, that any damage occurred at all. At best, a buyer was present in this District. But the buyer would then need to use Kronos to cause damage in the District for venue to lie. Nothing [i]n the indictment supports that conclusion.

The charging of two foreigners is all the more problematic on the four wiretapping charges, given that (unlike CFAA), Congress did not mean to apply it to foreigners.

There is evidence that Congress intended the CFAA—the legal basis of Counts One and Six—to have extraterritorial application. The CFAA prohibits certain conduct with respect to “protected computers,” 18 U.S.C. § 1030(e)(2)(B), and the legislative history shows that Congress crafted the definition of that term with foreign-based attackers in mind. S. Rep. 104-357, at 4-5 (1996).

The Wiretap Act—at issue in Counts Two through Five—is different, though. That law does not reflect a clear congressional mandate that it should apply extraterritorially. Accordingly, courts have repeatedly found that it “has no extraterritorial force.” Huff v. Spaw, 794 F.3d 543, 547 (6th Cir. 2015) (quoting United States v. Peterson, 812 F.2d 486, 492 (9th Cir. 1987)).

There is a great deal of precedent to establish venue based on where a federal agent bought something. Indeed, the main AlphaBay case against Alexandre Cazes consisted of that (remember that Kronos was ultimately sold on AlphaBay). But that case was based on the illegal sale of drugs and ATM skimmers, not software, which given the challenge to the CFAA and Wiretapping application here, might make the EDWI purchase of Kronos insufficient to justify venue here.

I’m not sure whether this motion will succeed or not. But one way or another, given that the defense appears to have seen no real basis for venue here, this motion may serve as critical groundwork for what appears to be a justifiable argument that this case should never have been charged in the US.

I keep waiting for DOJ to give up this case in the face of having to argue that the guy who sinkholed WannaCry should be prosecuted because he refused to accept a plea deal on charges with no known US victims. But they’re probably too stubborn to do that.

Update: Corrected Joseph’s name. h/t GM.

The Government Built Its Criminal Case against MalwareTech Off Incidental Collection

The government has responded to MalwareTech’s (Marcus Hutchins) demand for more evidence by refusing everything. Along the way, they reveal that the bulk of the case against Hutchins arises from him being incidentally collected off two other criminal suspects, Tran (his co-defendant) and Randy (an informant who provided testimony against him in conjunction with his own criminal exposure).

Twenty-somethings claiming they’re not drunk occifer

As for rebuttals of the points made in his demand, the government has two rebuttals as to the substance of Hutchins’ argument, versus the law. First, they claim that Hutchins told the FBI he wasn’t drunk when they arrested him, contrary to the claim made to support a demand for materials on the surveillance of him leading up to his arrest.

Before the interview started, Hutchins told agents that he was not under the influence of alcohol.

Apparently they made a separate 302 (of unknown date) to memorialize their claim he told them he wasn’t drunk.

In addition to those materials, the government recently disclosed an additional FBI 302 report memorializing the defendant’s statement that he was not under the influence of alcohol at the time of his arrest,

The filing also reveals that there are,

two reports detailing limited surveillance of the defendant on July 26, 2017, and August 2, 2017.

Note, while August 2 is the day Hutchins left Las Vegas, the 26th was not the day he arrived; that was July 21. So they conducted surveillance of him on at least one day while he was in the US hanging out with other hackers at Black Hat, but won’t tell him if they conducted surveillance on the other days.

The government’s “intentional” fuckups may lead to superseding indictments

The government seems to cede Hutchins’ suggestion that it flubbed the language on “intention” versus “knowledge” on at least one and maybe a second charge against him.

Hutchins claims that the indictment is defective because Count Two of the indictment states that the defendant acted “knowingly” instead of “intentionally.”[3] Likewise, despite the fact that Count Six charges an attempt, Hutchins argues Count Six fails to allege that defendant “intentionally” attempted to cause damage to a protected computer.[4] This, however is not an allegation of “error in the grand jury proceedings” under Rule 12(b)(3)(A)(v). It is an allegation of a defect in the indictment under Rule 12(b)(3)(B)(v). Thus, if Hutchins truly believes Counts Two and Six are facially defective, he can file a motion dismiss those counts under Rule 12(b)(3)(B)(v).

[3] Count Two appears to contain a drafting error because Counts Three and Four, which also allege violations of 18 U.S.C. § 2512, state that the defendant acted “intentionally” rather than “knowingly.” This further undermines Hutchins’ speculation that the grand jury was erroneously instructed.

[4] According to Seventh Circuit jury instructions, an attempt means to take a substantial step towards committing the offense, with the “intent to commit the offense.” Therefore, because Count Six is charged as an attempt to violate section 1030, including the word “intentionally” before “attempted” would be unnecessary and redundant.

But they generously offer to fix that problem in a superseding indictment.

The government has already explained to the defense that it will likely seek a superseding indictment in this case. That superseding indictment would address any possible drafting errors noted by the defense.

Given that elsewhere they say the informant, Randy, who provided information against Hutchins, discussed “involvement in creating the Kronos banking Trojan, among other criminal conduct” [my emphasis] with him in online chats, they seem to be suggesting that if the defense makes too big a deal about this they’ll add charges against Hutchins.

Incidentally collected defendants get nothing

Perhaps most interesting, this filing demonstrates the degree to which Hutchins’ prosecution stems from his incidental collection in investigative efforts targeting Tran and Randy. In fact, precisely because he was incidentally collected and not personally targeted, the government claims it doesn’t have to provide affidavits that might explain how — and more importantly, why — they decided to arrest Hutchins.

For example, the government argues Hutchins can’t have the MLAT requests, which are used to ask other countries to provide information for a criminal prosecution. In this case, MLATs obtained information on Tran, the guy who sold the Kronos malware Hutchins is alleged to have helped write. The government refuses to hand these over, in part, because they don’t get signed by FBI Agents, but instead get signed by lawyers.

Here, the defendant relies on Rule 16(a)(1)(E)(i) in seeking disclosure of MLATs and search warrant applications. But that Rule is inapplicable. With regard to MLATs, they are not signed or attested to by law enforcement agents. Instead, they are signed by an attorney representing the United States. Information received in response to an MLAT that is subject to disclosure under Rule 16 has been, and will continue to be, turned over to the defense in this case. Indeed, the defendant acknowledges that he has received materials responsive to an MLAT request. Doc. #44 at 17. The MLAT request itself, however, is not subject to production. In fact, MLAT requests (rather than the responsive materials) are explicitly excluded from production under Rule 16(a)(2).

Moreover, because the MLAT was targeted at Hutchins’ co-defendant, and not him, he doesn’t get it.

Moreover, the MLAT request submitted in this case related to Hutchins’s codefendant and not Hutchins. As noted above, the government has disclosed materials received in response to the MLAT, but the MLAT itself is not subject to production under Rule 16, Giglio, Brady, or § 3500.

There is one still undisclosed search warrant affidavit in the case. But because that was used to incriminate Randy, the informant, Hutchins won’t get that either.

With regard to search warrant materials, the government has explained to Hutchins that no search warrants were executed that focused on Hutchins’ activities. There was a search warrant executed in an unrelated case that revealed statements made by Hutchins to CS-1, and those statements were turned over in discovery under Rule 16. But, there is no authority supporting the production of that search warrant affidavit or other documents relating to that warrant. The warrant was executed at a residence in the United States and did not involve Hutchins’ property or privacy interests. The affidavit is not subject to disclosure under 18 U.S.C. § 3500 because it was made in connection with an unrelated investigation. Given the separation between this case and the other investigation, the government does not believe at this time that the affiant’s statements in the affidavit supporting that warrant “relate to the subject matter of the testimony” to be presented in this case. 18 U.S.C. § 3500.

The government seems pretty lackadaisical towards Hutchins’ co-defendant

The government’s unwillingness to turn over information on the other alleged criminals in this case is particularly interesting given how uninterested they seem in him. The filing reveals that someone working undercover for the FBI did have discussions with Tran about Kronos (again, this is malware that had no significant US victims in the form Hutchins is alleged to have been involved in it), and they collected postings on it off the Darkode forum.

In support of this request, Hutchins asserts that such items “must be material to preparing Mr. Hutchins’ defense” because the indictment alleges a conspiracy; that “the government may be withholding information that could exculpate Mr. Hutchins”; and that he has a right to “locate the codefendant.” Doc. #44 at 8-9. Because the government has disclosed information relating to the codefendant, and there is no authority supporting the defendant’s request for additional information, his motion to compel the production of this information should be denied.

Of note, Hutchins’ codefendant has not yet been arrested in connection with this case. And, the government has disclosed certain information relating to the codefendant to Hutchins. This includes (1) the codefendant’s name; (2) materials responsive to an MLAT request that included a redacted copy of the codefendant’s passport; (3) undercover chats between the codefendant and the FBI related to the marketing, sale, and distribution of Kronos; and (4) various Internet postings related to Kronos that are attributable to one of the aliases used by the codefendant, including on the now shuttered Darkode forum.

But the government hasn’t obtained any information about the other things Tran was selling on dark markets.

Hutchins’ speculation that “the government must be withholding substantial additional information in its possession,” including information that may show the codefendant acted independently of Hutchins, is not supported. Doc. #44 at 8. While it might be true that the codefendant was involved in criminal activity in addition to distributing Kronos with Hutchins, the government is not suppressing that information. It simply does not possess such information. If additional records in the government’s possession are identified and deemed material, the government will provide those records to the defendant.1

That suggests he’s not really the target here.

More interesting still, the government claims it hasn’t yet identified any records from its AlphaBay seizure pertaining to this malware they claim is so important they’ve arrested the guy who stopped the WannaCry malware attack.

1 In his motion, Hutchins states that “the government likely has records of the codefendant’s activities on AlphaBay.” Doc. #44 at 9. The government is still pursuing information from the AlphaBay marketplace, but it has not yet located any materials subject to disclosure.

It seems virtually impossible that they wouldn’t find information in the seized servers, if it was, at all, a priority. Which seems to suggest the opposite — not finding anything — may be a priority.

By providing evidence that suggests the government simply isn’t all that interested in Tran (if, as his name suggests, he’s Vietnamese, he may be beyond any extradition treaty), the government dismisses the possibility that Hutchins or his friends could find Tran (not an unreasonable possibility, because that’s how hackers roll).

[Hutchins] told agents that he knew his codefendant only by various online aliases; his dealings with his codefendant were all online; and he has never met his codefendant in person or even seen a photograph of the codefendant. It therefore makes no sense for Hutchins to claim that, if provided the requested “materials and communications,” he will be able to locate the fugitive codefendant and obtain exculpatory information from that individual.

But along the way, this prevents Hutchins from arguing that this case is all trumped up to go after him, for some reason.

Hiding Randy and the carding charges he’s working off

More interesting, still, the government is going to some lengths to hide Randy, the informant they call CS-1 who provided information on Hutchins.

The list of what they have provided in discovery provides some outline of how they got to Randy.

In reality, the government has produced the following materials related to CS-1: (1) A redacted proffer letter between the government and CS-1; (2) undercover chats between a government cooperator and CS-1 regarding the sale of stolen credit card numbers; (3) chats between CS-1 and Hutchins regarding Hutchins’ involvement in creating the Kronos banking Trojan, among other criminal conduct; and (4) a redacted FBI 302 report (which Hutchins refers to in his motion) memorializing a FBI interview of CS-1 regarding Hutchins and others.

It seems that a third party (the “government cooperator,” who himself may be an informant working off criminal charges) provided the FBI chats showing discussions with Randy of carding activity. This led the FBI to go after Randy. He, in turn, made a proffer to the government offering to cooperate, presumably in exchange for leniency in his own case. That led to an interview with the FBI where Randy provided information on Hutchins “and others.”

Note that the government doesn’t tell us when all this happened.

The government argues that Randy is a mere tipster who wasn’t (yet) being controlled by the FBI at the time, and so they won’t have to let Hutchins question Randy about these underlying circumstances unless they put Randy on the stand, even though they concede he (as someone working off his own criminal exposure) might actually be a transactional witness.

CS-1’s position in this case is more like a “mere tipster” than a transactional confidential informant. Hutchins sent a copy of the Kronos malware to CS-1 in 2015, but CS-1 was not acting as an agent for the government at that time. If the government called CS-1 as a witness at trial, his/her primary role would be to testify about the third-party admissions Hutchins made during chats with CS-1. Even if the Court found CS-1 acted more like a transactional witness, that finding does not automatically justify disclosure of CS-1’s identity. United States v. McDowell, 687 F.3d 904, 911 (7th Cir. 2012). The defendant would still need to establish that knowing CS-1’s identity is “relevant and helpful to his defense or is essential to a fair determination of a cause,” Wilburn, 581 F.3d at 623. Here, his request for disclosure of CS-1’s identity is based on speculation, which is insufficient. See Valles, 41 F.3d at 358 (“The confidential informant privilege ‘will not yield to permit a mere fishing expedition, nor upon bare speculation that the information may possibly prove useful.’” (quoting Dole, 870 F.2d at 373)).

The government argues that Hutchins is only speculating that learning who Randy is would be material to his defense, and uses that to argue that they don’t have to reveal Randy’s name so Hutchins can test whether it’s material to his defense.

The government generously agrees to give Hutchins Randy’s real name if they call him to testify, but then boasts that Hutchins’ jail phone calls mitigate the need to put Randy on the stand.

Nonetheless, the government agrees to disclose CS-1’s identity to the defense if it determines that CS-1 will be a testifying witness at trial.2

2 To be sure, it might not be necessary to call CS-1 as a witness at trial because the defendant was shown the chats he had with CS-1 during his post-arrest interview and the defendant admitted that he was one of the parties in those conversations. Later, the defendant made a phone call from jail in which he described the chats as “undeniable.” Therefore, the admissions Mr. Hutchins made to CS-1 are admissible non-hearsay statements, which Mr. Hutchins previously identified as accurate.

There are a slew of reasons Randy’s identity is of particular interest. Not least, that unknown entities engaged in serial credit card fraud to try to disrupt Hutchins’ defense fundraisers. As I’ve suggested, that means that entities engaged in probable criminal credit card fraud made a concerted effort to thwart Hutchins’ ability to mount the most robust defense.

Is the FBI even investigating who disrupted Hutchins’ defense fundraising efforts? Would they do so if it would hurt their case?

All of which leaves the distinct impression that the government isn’t all that interested in the two suspected criminals implicated in the case against him, but is very interested in ratcheting up the pressure on Hutchins himself.

And because they got to Hutchins via incidental collection — and not direct targeting — they might succeed in doing so.

 

Let MalwareTech Surf! Status Report

There were several developments in the MalwareTech case late last week.

On Friday, there was a status hearing in his case. Before the hearing, the government submitted a status report revealing that they only provided the malware at issue in the case to Hutchins on October 2, two months after arresting him (the judge approved a protection order on August 21). The government provided five malware samples.

The most recent production was made on October 2, 2017, and contained five malware samples, among other things.

There was also a status hearing Friday. In it, the government revealed they have yet to turn over chat logs from an Internet forum — Hutchins will get that next week.

Govt. notes that there is one more disk to be produced – chats from internet forum on disk to be received from FBI next week.

These may be the ones where, the government claims, Hutchins discussed getting paid for the Kronos malware update. If so, it’s another key piece of potentially rebuttable evidence they’ve taken their time handing over to Hutchins.

The government also has discovery from some foreign country that it is not sure it’ll be able to obtain. This is really sketchy. First, as I’ve mentioned, there are no known US victims of this malware. The victims are in other countries. Is this victim related information? Is it information the government otherwise obtained under EO 12333 that it needs to parallel construct to introduce in this case? Is this from Hutchins’ own government?

There is still an amount of discovery from another country. It is unknown whether it can be obtained by the government. Any information obtained by the govt. will be given to the defense.

In any case, why is the government only now trying to get this evidence? They’ve had two months since the arrest, and three since his indictment.

Finally, an interesting piece of good news. The defense declined to commit to a briefing schedule for fear the government might file a superseding indictment. Given the allegations that Hutchins was involved in other stuff, I had feared the government might indict him on those crimes to further pressure him to plea. But in Friday’s hearing they said if they do file a superseding indictment, it’ll be based on the discovery they’ve already provided to Hutchins, meaning it’ll presumably be on the same alleged malware crime and not any unrelated charges.

The defense notes that it does have concerns regarding the possible filing of a Superseding Indictment and whether there will be more discovery in connection with it. The government has given no details as to the possible filing.

The govt. notes that, if it decides to file a Superseding Indictment, it will relate to discovery already produced or to be produced shortly.

Finally, Hutchins’ lawyers are using the earlier promises the judge made and the malfunction of Hutchins’ GPS tracker in a bid to alter the conditions of bail to let Hutchins surf.

During Hutchins’ first hearing in Wisconsin, the judge suggested that after Hutchins had shown a period of compliance, pretrial services could consider lifting his GPS monitoring.

And it will be up to them to decide if — the time at which he’s been sufficiently compliant that they can — they feel comfortable lifting the GPS monitoring, but that will be up to them.

Hutchins’ lawyers reminded the judge of that, even while they provided proof that Hutchins would remain compliant without a curfew or GPS monitoring: Apparently, on a recent trip to the East Coast, his curfew was suspended and his GPS monitor failed, yet he didn’t flee.

Hutchins has continued to comply with his conditions of release, and he traveled to a major city on the East Coast for a few days in September. So that he could catch his early-morning flights, Pretrial Services and the government agreed, with this Court’s approval, that his curfew could be suspended for the duration of his travel. During that trip—through no fault of his own—Mr. Hutchins’ GPS unit refused to take a battery charge and as a result became non-functional. Pretrial Services was alerted to this issue. Mr. Hutchins, of course, did not attempt to flee the country when the GPS unit failed. He simply abided by the rest of his release conditions while on the trip and returned home to Los Angeles as scheduled, where he was fitted with a working GPS unit.

Hutchins’ lawyers argue that the GPS monitor is inconvenient both because it requires two hours each day to charge and because CA’s GPS monitors can’t be brought on planes, so pretrial services has to swap out the CA GPS monitor for a Milwaukee one any time Hutchins needs to fly.

But the real inconvenience, they admit in a footnote, is that Hutchins lives close to glorious CA beaches but can’t swim or surf.

The GPS unit also cannot be submerged in water. This is relevant because Mr. Hutchins is an avid swimmer and surfer. Engaging in these activities would help him maintain a healthy lifestyle and manage the tremendous stress of his difficult situation.

Given the details on discovery released Friday, my suspicion is the government made this a complex case so they could stall on discovery. If they’re going to do that, by all means Hutchins should be able to enjoy his time in CA.

Update: The government has objected to this request, arguing (ignoring the trip to the East Coast) that there’s no new reason Hutchins is requesting this.

Update: Judge Duffin says Hutchins can surf! There’s a detail in the opinion the government may make hay about, but for the moment, Hutchins is off his GPS and curfew. If he doesn’t watch out he’s going to end up staying in LA forever, once he ditches this charge.

EO 12333 Sharing Will Likely Expose Security Researchers Even More Via Back Door Searches

At Motherboard, I have a piece arguing that the best way to try to understand the Marcus Hutchins (MalwareTech) case is not from what we see in his indictment for authoring code that appears in a piece of Kronos malware sold in 2015. Instead, we should consider why Hutchins would look different to the FBI in 2016 (when the government didn’t arrest him while he was in Las Vegas) and 2017 (when they did). In 2016, he’d look like a bit player in a minor dark market purchase made in 2015. In 2017, he might look like a guy who had his finger on the WannaCry malware, but also whose purported product, Kronos, had been incorporated into a really powerful bot he had long closely tracked, Kelihos.

Hutchins’ name shows up in chats obtained in an investigation in some other district. Just one alias for Hutchins—his widely known “MalwareTech”—is mentioned in the indictment. None of the four or more aliases Hutchins may have used, mostly while still a minor, was included in the indictment, as those aliases likely would have been if the case in chief relied upon evidence under that alias.

Presuming the government’s collection of both sets of chat logs predates the WannaCry outbreak, if the FBI searched on Hutchins after he sinkholed the ransomware, both sets of chat logs would come up. Indeed, so would any other chat logs or—for example—email communications collected under Section 702 from providers like Yahoo, Google, and Apple, business records from which are included in the discovery to be provided in Hutchins’ case in FBI’s possession at that time. Indeed, such data would come up even if they showed no evidence of guilt on the part of Hutchins, but which might interest or alarm FBI investigators.

There is another known investigation that might elicit real concern (or interest) at the FBI if Hutchins’s name showed up in its internal Google search: the investigation into the Kelihos botnet, for which the government obtained a Rule 41 hacking warrant in Alaska on April 10 and announced the indictment of Russian Pyotr Levashov in Connecticut on April 21. Eleven lines describing the investigation in the affidavit for the hacking warrant remain redacted. In both its announcement of his arrest and in the complaint against Levashov for operating the Kelihos botnet, the government describes the Kelihos botnet loading “a malicious Word document designed to infect the computer with the Kronos banking Trojan.”

Hutchins has tracked the Kelihos botnet for years—he even attributes his job to that effort. Before his arrest and for a period that extended after Levashov’s arrest, Hutchins ran a Kelihos tracker, though it has gone dead since his arrest. In other words, the government believes a later version of the malware it accuses Hutchins of having a hand in writing was, up until the months before the WannaCry outbreak, being deployed by a botnet he closely tracked.

There are a number of other online discussions Hutchins might have participated in that would come up in an FBI search (again, even putting aside more dated activity from when he was a teenager). Notably, the attack on two separate fundraisers for his legal defense by credit card fraudsters suggests that corner of the criminal world doesn’t want Hutchins to mount an aggressive defense.

All of which is to say that the FBI is seeing a picture of Hutchins that is vastly different than the public is seeing from either just the indictment and known facts about Kronos, or even open source investigations into Hutchins’ past activity online.

To understand why Hutchins was arrested in 2017 but not in 2016, I argue, you need to understand what a back door search conducted on him in May would look like in connection with the WannaCry malware, not what the Kronos malware looks like as a risk to the US (it’s not a big one).

I also note, however, that in addition to the things FBI admitted they searched on during their FBI Google searches — Customs and Border Protection data, foreign intelligence reports, FBI’s own case files, and FISA data (both traditional and 702) — there’s something new in that pot: data collected under EO 12333 shared under January’s new sharing procedures.

That data is likely to expose a lot more security researchers for behavior that looks incriminating. That’s because FBI is almost certainly prioritizing asking NSA to share criminal hacker forums — where security researchers may interact with people they’re trying to defend against in ways that can look suspicious if reviewed out of context. That’s true, first of all, because many of those forums (and other dark web sites) are overseas, and so are more accessible to NSA collection. The crimes those forums facilitate definitely impact US victims. But criminal hacking data — as distinct from hacking data tied to a group that the government has argued is sponsored by a nation-state — is also less available via Section 702 collection, which as far as we know still limits cybersecurity collection to the Foreign Government certificate.

If I were the FBI I would have used the new rules to obtain vast swaths of data sitting in NSA’s coffers to facilitate cybersecurity investigations.

So among the NSA-collected data we should expect FBI newly obtained in raw form in January is that from criminal hacking forums. Indeed, new dark web collection may have facilitated FBI’s rather impressive global bust of several dark web marketing sites this year. (The sharing also means FBI will no longer have to go the same lengths to launder such data it obtains targeting kiddie porn, which it appears to have done in the PlayPen case.)

As I think is clear, such data will be invaluable for FBI as it continues to fight online crime that operates internationally. But because back door searches happen out of context, at a time when the FBI may not really understand what it is looking at, it also risks exposing security researchers in new ways to FBI’s scrutiny.

 

MalwareTech’s Case Gets Complex

Today, prosecutor Michael Chmelar and Marcus Hutchins’ lawyers, Marcia Hofmann and Brian Klein, had a phone meeting with judge Nancy Johnson.

Hutchins’ lawyers got the judge to agree to further loosen his bail terms (putting him on a curfew rather than house arrest, it appears). But, after agreeing willingly to most requests last week, the government is now objecting to the change, asking for a stay and reconsideration. Recall, too, that AUSA Michael Chmelar had tacitly agreed to have Hutchins taken off GPS monitoring. We will likely see the substance of their complaint in a motion in the coming days.

The other thing that happened — again, as I reported would happen here — is that the case got deemed complex, meaning the trial can be delayed without a violation of the Speedy Trial Act. The minutes describe the judge’s approval of the motion for these reasons.

Based on the information presented here, the nature of the charges, the nature and amount of the discovery, the fact that discovery is coming from multiple sources and the fact that some of the information may need independent testing/review, the court will designate this matter COMPLEX.

The most interesting detail here is that independent testing may be required. Probably — especially given researchers are already raising doubts — Hutchins’ lawyers are going to get outside experts to check the government claims that the code sold in Kronos came from Hutchins.

Another detail from the minutes is that Hutchins’ lawyers object to the redaction of the indictment.

The Government gives background of this case and notes that defendant Hutchins is the only party to appear thus far.

[snip]

The defense notes that it objects to the redaction of the Indictment.

The WI courthouse already accidentally revealed the name of Hutchins’ co-defendant, Tran.

In spite of some effort, no one I’ve seen has identified a likely (and sufficiently interesting) co-defendant whose last name is Tran — or a connection between that name and VinnyK, the name currently associated with selling the malware. Presumably, if the co-defendant’s aliases were unsealed, it would be easier for researchers to understand what Hutchins has been accused of, and who he has been accused of conspiring with.

As for the discovery, some of that was provided in the minutes. As I noted, the government turned over Hutchins’ custodial interview (curiously, the minutes don’t specify that they were with the FBI) and the recordings of two calls.

 The government will be following its open file policy. To date, the defendant has provided the defense with the following:

– 1 CD with post arrest statements

– CD with 2 audio recordings from the county jail in Nevada. (The government is awaiting a written transcript from the FBI.)

Here’s what’s left of discovery, with my comments interspersed.

In addition, there are:

– 150 pages of Jabber chats between the defendant and an individual (somewhat redacted).

Were these encrypted or group chats? If the former, via what means did FBI decrypt them? Did someone hand them over to the FBI?

– Business records from Apple, Google and Yahoo.

These would be accessible via Section 702 (though, given the lack of a FISA notice, would likely have been backstopped via subpoena if they were collected via 702).

– Statements (350 pages) to the defendant from another internet forum which were seized by the government in another District.

The government provides no details on what the location (US or overseas) of this forum is — and they describe it as statements to Hutchins rather than statements by him. But their existence shows that another District had enough interest in some conversations Hutchins happened to be involved in that they collected — via whatever means — this forum.

– 3-4 samples of malware

At a minimum, the government needs 3 pieces of malware: Kronos before Hutchins allegedly updated it, Kronos after he did, and the version of Kronos that got sold. Apparently, the government hasn’t decided how many versions they’ll give the defense. And all that still leaves the question of victims; to prove that anything Hutchins did affected any Americans they might need more malware.

In part for that reason, I suspect independent researchers will continue to look for their own publicly available samples.

– A search warrant executed on a third party which may contain some privileged information.

As with the other forum, this suggests the FBI or some other agency was interested enough in another case — or a corporation — such that some kind of privilege might apply. This could, in fact, be a victim.

All of that is what led the defense to request (after the government already said it would do the same, having initially said this wouldn’t be a complex case) that this should be deemed complex, in part so Hutchins’ team can have a couple of months to review what they’re looking at.

The parties agree that the case should be designated as complex. Information is still being obtained from multiple sources. The issues are complex[.] The defendant requests 45-60 days in which to review the discovery. The government notes that it is in agreement with the request.

So it’s a complex case and it’ll drag on until such time as the government gets more coercive to get whatever it is they’re after or they drop the case.

Government Aims to Protect Other Ongoing Investigations in MalwareTech Case

In its request for a protection order governing discovery materials turned over to the defense in the Marcus Hutchins/MalwareTech case, the government provided this explanation of things it needed to keep secret.

The discovery in this matter may include information related to other ongoing investigations, malware, and investigative techniques employed by the United States during its investigation of Mr. Hutchins and others.

The government will always aim to protect investigative techniques — though in an international case investigating hackers, those techniques might well be rather interesting. Of particular interest, the government wants to hide techniques it may have used against Hutchins … and against others.

The government’s claim it needs to hide information on malware will disadvantage researchers who are analyzing the Kronos malware in an attempt to understand whether any code Hutchins created could be deemed to be original and necessary to the tool. For example, Polish researcher hasherezade showed that the hooking code Hutchins complained had been misappropriated from him in 2015, when the government claims he was helping his co-defendant revise Kronos, was not actually original to him.

The interesting thing about this part of Kronos is its similarity with a hooking engine described by MalwareTech on his blog in January 2015. Later, he complained in his tweet that cybercriminals had stolen and adopted his code. Looking at the hooking engine of Kronos we can see a big overlap, that made us suspect that this part of Kronos could be indeed based on his ideas. However, it turned out that this technique was described much earlier (i.e. here // thanks to @xorsthings for the link), and both authors learned it from other sources rather than inventing it.

Hasherezade may well have proven a key part of the government’s argument wrong here. Or she may be missing some other piece of code the government claims comes from Hutchins. By hiding any discussions about what code the government is actually looking at, though, it prevents the security community from definitely undermining the claims of the government, at least before trial.

Finally, there’s the reference to other, ongoing investigations.

One investigation of interest might be the Kelihos botnet. In the April complaint against Pyotr Levashov, the government claimed that the Kelihos botnet had infected victims with Kronos malware.

In addition to using Kelihos to distribute spam, the Defendant also profits by using Kelihos to directly install malware on victim computers. During FBI testing, Kelihos was observed installing ransomware onto a test machine, as well as “Vawtrak” banking Trojan (used to steal login credentials used at financial institutions), and a malicious Word document designed to infect the computer with the Kronos banking Trojan.

Unlike known uses of Kronos by itself, Kelihos is something that has victimized people in the United States; the government has indicted and is trying to extradite Pyotr Levashov in that case. So that may be one investigation the government is trying to protect.

It’s also possible that, in an effort to pressure Hutchins to take a plea deal, the government is investigating allegations he engaged in other criminal activity, activity that would more directly implicate him in criminal hacking. There’s little (aside from statutes of limitation) to prevent the government from doing that, and their decision to newly declare the case complex may suggest they’re threatening more damaging superseding indictments against Hutchins, if they can substantiate those allegations, to pressure him to take a plea deal.

Finally, there’s WannaCry. As I noted, while the government lifted some of the more onerous bail conditions on Hutchins, they added the restriction that he not touch the WannaCry sinkhole he set up in May. The reference to ongoing investigations may suggest the government will be discussing aspects of that investigation with Hutchins’ defense team, but wants to hide those details from the public.

Update: I’ve corrected the language regarding Kelihos to note that this doesn’t involve shared code. h/t ee for finding the reference.

MalwareTech’s FBI-Induced Tour to Milwaukee, WI

On Friday, WannaCry hero Marcus Hutchins (AKA MalwareTech) was granted bail by a Las Vegas judge; he will pay his bail on Monday, then have to travel, without a passport to show TSA, to Milwaukee for a court appearance Tuesday (I’m contemplating hopping the ferry for the hearing).

I’d like to focus on the venue, how it is that a British malware researcher came to be charged in Flyover USA for the crime of making malware.

Thomas Brewster-Fox wrote an important piece on Friday trying to figure out what a lot of people have been asking: what is Kronos, which a lot of researchers never really heard of. He notes that the malware was a bust in the criminal malware market.

The reduced price hints at another truth about Kronos: it was largely a failure amongst serious cybercriminals. There was early anticipation in 2014 it could go big, as prolific and profitable as one of its forbears, the banking malware known as Zeus. In an email to your reporter from RSA’s Daniel Cohen in 2014, he wrote: “Waiting to see whether Kronos turns into something. At this point it’s just a post on a forum, no sample or binary yet. It could be an interesting development if it does, as it would point to more movement away from the Zeus code.”

In the last 24 months, according to IBM global executive security advisor Limor Kessem, the Trojan emerged with a hefty $7,000 price tag in mid-2014, but actual attacks didn’t launch until the third and fourth quarter of 2015, when the company saw some Kronos malware campaigns hitting UK banks. “But after that timeframe, have not seen much more activity from the malware,” Kessem told Forbes.

“The very last time we saw Kronos activity was a small campaign in November 2016, when Kronos infected a very small number of machines mostly in Brazil, the UK, Japan, and Canada. At that particular time, we did not see fraudulent activity from Kronos, but rather, believe it was used as a loader for other malware.”

Importantly, IBM global executive security advisor Limor Kessem names the few places where the malware has been deployed: Some UK banks in the last two quarters of 2015 and then, in altered form and function, in a “very small number of machines” in Brazil, UK, Japan, and Canada.

So: UK, Brazil, UK, Japan, and Canada.

Not the US, as far as Kessem notes.

And in fact, the most commonly cited victim, the UK, is where Hutchins is from! Yet among the things the British National Cyber Security Centre — the folks who worked closely with Hutchins as he saved a bunch of NHS hospitals from being shut down due to the WannaCry malware — has been really circumspect about since Hutchins’ arrest is what the case is doing over here in the States.

We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.

So why are we seeing this case in the US — in Milwaukee, of all places?!?! — rather than in the UK where some of its few victims are?

The indictment against Hutchins includes just two actions he is alleged to have taken personally.

Defendant MARCUS HUTCHINS created the Kronos malware. (¶4a)

[snip]

In or around February 2015, defendants MARCUS HUTCHINS and [redacted] updated the Kronos malware. (¶4d)

All the other overt actions described in the indictment were done by Hutchins’ as yet unknown (even to him, per reports!) and still at-large co-defendant. That includes this action:

On or about June 11, 2015, defendant [redacted] sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency. [emphasis mine]

Most of the other charges — counts three through six — cite that June 11 sale. So it’s that sale, in which Hutchins was not alleged to be involved and the alleged perpetrator of which hasn’t yet been arrested, that seems to be the core of the crime.

This Beeb article, by far the most detailed accounting of Hutchins’ arraignment, provides these details.

Prosecutors told a Las Vegas court on Friday that Mr Hutchins had been caught in a sting operation when undercover officers bought the code.

They claimed the software was sold for $2,000 in digital currency in June 2015.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

“He admitted he was the author of the code of Kronos malware and indicated he sold it,” said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant – who has yet to be arrested – where the security researcher complained of not receiving a fair share of the money.

From this, it might be safe to assume that some law enforcement officer, possibly working undercover in the Eastern District of WI, bought a bunch of shit off AlphaBay in 2015, including a copy of (a version of) the Kronos malware. The purchase (and the version of code) wasn’t sufficiently interesting last year to arrest Hutchins when (I believe) he came for the Las Vegas cons.

Nor was it interesting enough to the UK, where some of Kronos’ few victims are, to prosecute the sale (which, because conspiracy laws are not as broad as they are here in the US, might not have reached Hutchins in any case, and certainly wouldn’t have exposed him to decades of incarceration).

But this year, in the days after the AlphaBay seizure (and several months after Hutchins helped to shut down WannaCry), prosecutors presented that $2,000 sale to a grand jury in ED WI, after which an arrest warrant was sent out to Las Vegas, just in time to arrest Hutchins on his way out of the country, after most of the unruly hackers had departed from Las Vegas.

Arresting Hutchins only as he left — and playing whack-a-mole moving him from one detention center to another — gave authorities the opportunity to interview Hutchins without an attorney, where, prosecutor Dan Cowhig claims, Hutchins “made a confession,” not that he “created the Kronos malware,” which is what the indictment alleges, but instead that he “was the author of the code of Kronos malware.” That “confession” sounds like the kind of thing an overly helpful person might explain if asked to explain this tweet in circumstances where he didn’t have a lawyer.

So here’s what may be going on.

In the aftermath of the AlphaBay seizure, authorities in the US decided to wade through what they could charge from past purchases off the marketplace, and either remembered or stumbled on this remarkably minor sale. Perhaps because of Hutchins’ fame, or perhaps because someone is unhappy about Hutchins’ fame, it was prioritized in a way it otherwise would not have been. And, as always, the US used convenient travel as a way to nab foreign alleged hackers to pull into America’s criminal justice system, which is far more onerous than those of its allies.

It’s not even clear, however, that that explains the Milwaukee venue. Recall that DOJ first charged Pyotr Levashov (and therefore first deployed its now legally sanctioned Rule 41 warrant) for the Kelihos botnet in Alaska, even though he’ll be tried in CT if he’s ever extradited to the US. The FBI reorganized the way they investigate cyber crimes in 2014 (no longer tying the investigation to the geography of the crime) and with Rule 41 and international crimes, they’ll be able to do so far more in the future. But at least with Levashov, there were victims referenced in the complaint, whereas here, the only act that may have taken place in ED WI is that purchase, if it even did.

All that said, the venue is a far less interesting question than whether the FBI really has evidence tying Hutchins to intending his code to be used for malware, or if they’ve just made a horrible mistake.